Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.

INFO

Published Date :

2026-02-06T19:16:26.005Z

Last Modified :

2026-02-06T20:24:33.963Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25643 vulnerability.

Vendors Products
Blakeblackshear
  • Frigate
Frigate
  • Frigate
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25643.

URL Resource
https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4 cve-icon cve-icon
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact